Texas, California settle Sony BMG lawsuits; consumers win?

Sony BMG has finally settled lawsuits brought by Texas and California over the …

The Sony BMG rootkit fiasco has been a public relations nightmare for the company over the course of the last year, but the debacle is finally winding down with yesterday's announcement that Sony BMG has settled with Texas and California.

The class action suit against the company was settled months ago, but the attorneys general of Texas and California have both been pursuing separate cases against Sony BMG. Both of those cases were settled yesterday, and Sony BMG has agreed to pay $750,000 to each state and to make restitution to consumers. Anyone in Texas or California who sustained damage to a computer when attempting to remove the Sony BMG DRM software is eligible for a $175 payment. Sony BMG has also agreed to a long list of business practices, including better disclosure and easy removal of any future DRM software.

"Companies that want to load their CDs with software that limits the ability to copy music should fully inform consumers about it, not hide it, and make sure it doesn't inflict security vulnerabilities on computers," said California Attorney General Bill Lockyer in a statement.

The California agreement also requires Sony BMG to notify consumers if any of the "enhanced features" on their CDs collect IP addresses and other personally identifiable information. In the past, according to the complaint, Sony BMG installed software on users' computers that sent information back to the company in order to download advertisements related to the artist currently being listened to. These sorts of activities prompted an outcry earlier this year; researchers wondered if Sony was retaining such information to build databases on people who listened to certain artists.

To address those worries, Sony BMG this month released a "data privacy assessment" from Cybertrust that supported the company's claim that nothing untoward was done with the information collected. XCP, MediaMax 3, and MediaMax 5 all relayed some information back to headquarters, but Cybertrust found that none of it was used to "collect, aggregate or retain personally identifiable information without user consent." So that's settled then, and we can all get back to trusting faceless corporations once more.

While the Texas and California agreements are certainly good ones, it's not clear how many consumers will actually benefit from the program. To get the $175, users need to have documentation of computer repairs. What does that mean? It means that if you spent a weekend trying to uninstall XCP, then found out that your CD drive no longer worked, then reinstalled drivers, then reinstalled the OS—you get nothing. Only if you took the machine down to a repair shop, coughed up cash, and then kept the receipt will you get paid. Consumers without such documentation only get $25.

The states, by contrast, are pulling in a combined $1.5 million for their efforts, money that will go to the attorneys general and to the Los Angeles County District Attorney's office.